Laravel adding code with CSRF_TOKEN at the bottom of the page


I know a little bit about how the @csrf_token from Laravel works, but I’m facing a problem.

The code below is being added at the end of all my Views, and this happens without me having implemented anything. Another detail is that it only happens if I access the application from outside the same network, for example, from my home. If I access it from the same network, the code is not added.

Can someone please let me know if this is from my application? Because I’m using Laravel and this token does not seem to come from it, because there is nothing that implements this Javascript in it.

Code that is added at the end of each page:

<html>
    <script language="JavaScript"> 
    var tokenName = 'CSRF_TOKEN'; 
    var tokenValue = 'dd0576475d5be8ed4dd7a7c3941d7168cadc8686'; 

    function updateTags() {         
        var all = document.all ? document.all : document.getElementsByTagName('*');         
        var len = all.length;         
        for(var i=0; i<len; i++) {                 
            var e = all[i];                                 
            updateTag(e, 'src');                 
            updateTag(e, 'href');         
        } 
    } 

    function updateForms() {         
        var forms = document.getElementsByTagName('form');                         
        for(i=0; i<forms.length; i++) {                 
            var html = forms[i].innerHTML;                                 
            html += '<input type=hidden name=' + tokenName + ' value=' + tokenValue + ' />';                 
            forms[i].innerHTML = html;         
        } 
    } 

    function updateTag(element, attr) {         
        var location = element.getAttribute(attr);         
        if(location != null && location != '' && isHttpLink(location)) {                 
            var index = location.indexOf('?');                 
            if(index != -1) {                         
                location = location + '&' + tokenName + '=' + tokenValue;                 
            } else {                         
                location = location + '?' + tokenName + '=' + tokenValue;                 
            }                
            element.setAttribute(attr, location);         
        } 
    } 

    function isHttpLink(src) {         
        var result = 0;                         
        if(src.substring(0, 4) != 'http' || src.substring(0, 1) == '/') {                 
            result = 1;         
        }                 

        return result; 
    } 

    updateTags(); 
    updateForms(); 
    </script>
</html>

So I’m using the latest version, 5.7.*, and I use the @csrf tag on my forms (csrf -> @csrf). I use it in the page header as well.

  • Can you send how you are using @csrf on your Wall? What version of Laravel?

  • Add information at the end

  • How are you applying to your header? Like this: <meta name="csrf-token" content="{{ csrf_token() }}">?

  • yes exactly as the doc

  • Have you already tried removing it from the header, to see if the code still appears?

  • Yes, I’ve done it all! The most disturbing thing is that I left a view with no code and even so this JS code is injected into the page and is disturbing some things my atheist that did not get in the way. The Laravel docs do not mention this!

  • I believe that what is happening has nothing to do with Laravel but with some javascript library that you may be using in your project.

  • Are you developing the project from the beginning, or did you pick up existing source code?

  • It doesn’t make sense, because I did a test taking out all the assets that call JS libraries and everything. And yet, even with the view left clean, the code still appears. There is almost nothing on the internet about it.
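A way to check where the block comes from, as an added example that is not part of the original question or its comments: compare the HTML the application renders with the HTML a client receives, and report anything appended after the view's closing `</html>`. The two sample bodies are constructed, the function names are hypothetical, and the token value is a placeholder.

```javascript
// Constructed sample: the view as the application renders it (for instance,
// saved from inside the network, where the question says nothing is added).
const SAMPLE_ORIGIN =
  '<html><body><form method="POST" action="/login"></form></body></html>\n';

// Constructed sample: the same view as received from outside the network,
// with a shortened stand-in for the script block shown in the question.
const SAMPLE_RECEIVED = SAMPLE_ORIGIN + [
  '<html>',
  '<script language="JavaScript">',
  "var tokenName = 'CSRF_TOKEN';",
  "var tokenValue = 'PLACEHOLDER_VALUE';",
  "function updateForms() { var forms = document.getElementsByTagName('form'); }",
  'updateForms();',
  '</script>',
  '</html>',
].join('\n');

// Text that follows the first closing </html> tag ('' when there is none).
function tailAfterHtmlClose(body) {
  const m = /<\/html\s*>/i.exec(body);
  return m ? body.slice(m.index + m[0].length).trim() : '';
}

// Bodies of inline <script> elements found in a fragment.
function inlineScripts(fragment) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  return Array.from(fragment.matchAll(re), (m) => m[1]);
}

// Compare what the app rendered with what the client received.
function analyzeAppended(originBody, receivedBody) {
  const tail = tailAfterHtmlClose(receivedBody);
  const scripts = inlineScripts(tail);
  const names = scripts
    .map((s) => /var\s+tokenName\s*=\s*'([^']*)'/.exec(s))
    .filter(Boolean)
    .map((m) => m[1]);
  return {
    // true: the received page is the rendered view plus extra trailing markup
    appendedAfterRender: tailAfterHtmlClose(originBody) === '' &&
      tail !== '' && receivedBody.startsWith(originBody.trimEnd()),
    inlineScriptCount: scripts.length,
    tokenNames: names,
    touchesForms: scripts.some((s) => s.includes("getElementsByTagName('form')")),
  };
}

console.log(analyzeAppended(SAMPLE_ORIGIN, SAMPLE_RECEIVED));
```

When `appendedAfterRender` is true, the extra markup was added after the view was rendered; the hidden field that Laravel's `@csrf` emits is named `_token`, so a reported token name such as `CSRF_TOKEN` does not come from that directive.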
